Improve permissions to view pages, to partially address #326

This commit is contained in:
Garret Wassermann 2017-12-15 17:18:54 -05:00
parent f173b6a859
commit 1d63e25855


@ -86,6 +86,15 @@ def _has_access_to_queue(user, queue):
return user.has_perm(queue.permission_name) return user.has_perm(queue.permission_name)
def _is_my_ticket(user, ticket):
"""Check to see if the user has permission to access
a ticket. If not then deny access."""
if user.is_superuser or user.is_staff or user.id == ticket.customer_id:
return True
else:
return False
def dashboard(request): def dashboard(request):
""" """
A quick summary overview for users: A list of their own tickets, a table A quick summary overview for users: A list of their own tickets, a table
@ -173,6 +182,8 @@ def delete_ticket(request, ticket_id):
ticket = get_object_or_404(Ticket, id=ticket_id) ticket = get_object_or_404(Ticket, id=ticket_id)
if not _has_access_to_queue(request.user, ticket.queue): if not _has_access_to_queue(request.user, ticket.queue):
raise PermissionDenied() raise PermissionDenied()
if not _is_my_ticket(request.user, ticket):
raise PermissionDenied()
if request.method == 'GET': if request.method == 'GET':
return render(request, 'helpdesk/delete_ticket.html', { return render(request, 'helpdesk/delete_ticket.html', {
@ -192,6 +203,9 @@ def followup_edit(request, ticket_id, followup_id):
ticket = get_object_or_404(Ticket, id=ticket_id) ticket = get_object_or_404(Ticket, id=ticket_id)
if not _has_access_to_queue(request.user, ticket.queue): if not _has_access_to_queue(request.user, ticket.queue):
raise PermissionDenied() raise PermissionDenied()
if not _is_my_ticket(request.user, ticket):
raise PermissionDenied()
if request.method == 'GET': if request.method == 'GET':
form = EditFollowUpForm(initial={ form = EditFollowUpForm(initial={
'title': escape(followup.title), 'title': escape(followup.title),
@ -257,6 +271,8 @@ def view_ticket(request, ticket_id):
ticket = get_object_or_404(Ticket, id=ticket_id) ticket = get_object_or_404(Ticket, id=ticket_id)
if not _has_access_to_queue(request.user, ticket.queue): if not _has_access_to_queue(request.user, ticket.queue):
raise PermissionDenied() raise PermissionDenied()
if not _is_my_ticket(request.user, ticket):
raise PermissionDenied()
if 'take' in request.GET: if 'take' in request.GET:
# Allow the user to assign the ticket to themselves whilst viewing it. # Allow the user to assign the ticket to themselves whilst viewing it.
@ -952,6 +968,8 @@ def edit_ticket(request, ticket_id):
ticket = get_object_or_404(Ticket, id=ticket_id) ticket = get_object_or_404(Ticket, id=ticket_id)
if not _has_access_to_queue(request.user, ticket.queue): if not _has_access_to_queue(request.user, ticket.queue):
raise PermissionDenied() raise PermissionDenied()
if not _is_my_ticket(request.user, ticket):
raise PermissionDenied()
if request.method == 'POST': if request.method == 'POST':
form = EditTicketForm(request.POST, instance=ticket) form = EditTicketForm(request.POST, instance=ticket)
@ -1031,6 +1049,8 @@ def hold_ticket(request, ticket_id, unhold=False):
ticket = get_object_or_404(Ticket, id=ticket_id) ticket = get_object_or_404(Ticket, id=ticket_id)
if not _has_access_to_queue(request.user, ticket.queue): if not _has_access_to_queue(request.user, ticket.queue):
raise PermissionDenied() raise PermissionDenied()
if not _is_my_ticket(request.user, ticket):
raise PermissionDenied()
if unhold: if unhold:
ticket.on_hold = False ticket.on_hold = False
@ -1410,6 +1430,8 @@ def ticket_cc(request, ticket_id):
ticket = get_object_or_404(Ticket, id=ticket_id) ticket = get_object_or_404(Ticket, id=ticket_id)
if not _has_access_to_queue(request.user, ticket.queue): if not _has_access_to_queue(request.user, ticket.queue):
raise PermissionDenied() raise PermissionDenied()
if not _is_my_ticket(request.user, ticket):
raise PermissionDenied()
copies_to = ticket.ticketcc_set.all() copies_to = ticket.ticketcc_set.all()
return render(request, 'helpdesk/ticket_cc_list.html', { return render(request, 'helpdesk/ticket_cc_list.html', {
@ -1425,6 +1447,8 @@ def ticket_cc_add(request, ticket_id):
ticket = get_object_or_404(Ticket, id=ticket_id) ticket = get_object_or_404(Ticket, id=ticket_id)
if not _has_access_to_queue(request.user, ticket.queue): if not _has_access_to_queue(request.user, ticket.queue):
raise PermissionDenied() raise PermissionDenied()
if not _is_my_ticket(request.user, ticket):
raise PermissionDenied()
if request.method == 'POST': if request.method == 'POST':
form = TicketCCForm(request.POST) form = TicketCCForm(request.POST)
@ -1464,6 +1488,8 @@ def ticket_dependency_add(request, ticket_id):
ticket = get_object_or_404(Ticket, id=ticket_id) ticket = get_object_or_404(Ticket, id=ticket_id)
if not _has_access_to_queue(request.user, ticket.queue): if not _has_access_to_queue(request.user, ticket.queue):
raise PermissionDenied() raise PermissionDenied()
if not _is_my_ticket(request.user, ticket):
raise PermissionDenied()
if request.method == 'POST': if request.method == 'POST':
form = TicketDependencyForm(request.POST) form = TicketDependencyForm(request.POST)
if form.is_valid(): if form.is_valid():
@ -1498,6 +1524,8 @@ def attachment_del(request, ticket_id, attachment_id):
ticket = get_object_or_404(Ticket, id=ticket_id) ticket = get_object_or_404(Ticket, id=ticket_id)
if not _has_access_to_queue(request.user, ticket.queue): if not _has_access_to_queue(request.user, ticket.queue):
raise PermissionDenied() raise PermissionDenied()
if not _is_my_ticket(request.user, ticket):
raise PermissionDenied()
attachment = get_object_or_404(Attachment, id=attachment_id) attachment = get_object_or_404(Attachment, id=attachment_id)
if request.method == 'POST': if request.method == 'POST':
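Review bot: `_is_my_ticket` in the first hunk compares `user.id == ticket.customer_id` without checking that either side is set; for an unauthenticated request `user.id` is `None`, so if `customer_id` can be unset on a ticket the comparison becomes `None == None` and the ownership test passes for a ticket that has no customer. Whether that is reachable depends on `_has_access_to_queue` and on the view decorators outside these hunks, but since the helper now gates `delete_ticket`, `edit_ticket`, `hold_ticket` and `attachment_del` as well as `view_ticket`, it should be safe on its own: `return user.is_superuser or user.is_staff or (user.id is not None and user.id == ticket.customer_id)`, which also replaces the `if ...: return True / else: return False` pair. The docstring says "If not then deny access", but the function only returns a bool and each caller raises `PermissionDenied`; suggest `"""Return True if user may act on ticket: superusers, staff, or the ticket's own customer."""`.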